What does a GTM audit check for?

Our Google Tag Manager audit runs 44 automated checks across 5 categories: Tags (duplicate GA4 Config, orphaned tags, custom HTML without consent guards, legacy Universal Analytics), Triggers (duplicate triggers, staging URL leakage, missing engagement triggers), Variables (PII parameter leakage, unused variables, data layer variables without defaults), Consent Mode v2 (gtag consent default, region-correct signals, Google Ads consent gating), and Security & Governance (external/personal emails with publish rights, stale container versions, XSS patterns, Magecart supply-chain risk).

Will the GTM audit modify my live container?

No. The audit is read-only. When you trigger an automated fix, NiceLookingData creates a temporary shadow workspace, injects the change, and opens a version for you to review. You always retain publish control — the live container is never mutated without your explicit approval.

How does the audit detect GTM Magecart and XSS risk?

We scan all Custom HTML tags for inline script patterns matching known Magecart skimmer signatures and XSS injection points. We also flag Custom HTML tags that fire without a Consent Mode v2 guard — a common vector for unauthorized third-party script execution after a CMP update.

Do I need GTM admin access to run the audit?

You need at least Read permission on the container. The audit pulls your container configuration via the Tag Manager API using your Google login. For automated fixes (shadow workspace creation), you need Edit access. We never request Publish access.

How is this different from the GTM Preview mode?

Preview mode shows you what fires on a single page during a debug session. Our GTM audit reads your entire container configuration and flags structural issues you cannot see from Preview alone — duplicate Config tags across triggers, orphaned tags with no triggers, external Gmail accounts with publish rights, container versions older than 90 days, and PII leakage in variable definitions.

NiceLookingData.

Audit any URL Start free Sign in

Product · GTM audit

The analyst
who audits
your container.

44 automated checks across tags, triggers, variables, Consent Mode v2, and security & governance — the scan a senior GTM consultant runs on engagement day one. Shadow-workspace only. Never mutates your live container.

Connect GTM See sample report

Checks

Watching

24/7

Cost

Zero risk

Always

Sample report

Container audit.
Score 68 of 100.

Redacted from a real container. One critical security flag, five warnings, 5 passed — each with a one-click fix path. Fixes land in a sandbox copy of your container — your live tags are never touched until you publish.

Overall

of 100

Passed5

Warnings7

Critical3

Container

acme-web
GTM-WJ4KP9
v42 · Apr 19

All checksCriticalWarningsPassed

export · PDF

Tags

Duplicate GA4 configuration tags

CRIT

01

Tags

Custom HTML tags without consent guards

WARN

02

Tags

Orphaned tags (no trigger)

WARN

03

Tags

Legacy Universal Analytics tags

WARN

04

Tags

Inconsistent tag naming convention

05

Triggers

Duplicate triggers

WARN

06

Triggers

Staging URL leakage

WARN

07

Triggers

No engagement triggers

08

Variables

Severe PII parameter leakage risk

CRIT

09

Variables

Unused variables

WARN

10

Variables

Data layer variables without defaults

11

Consent Mode v2

No consent mode configuration

12

Consent Mode v2

Missing Consent Mode v2 parameters

13

Security & governance

External/personal emails with publish rights

CRIT

14

Security & governance

Stale container version

WARN

15

Why containers go bad

Containers rot
silently.

Five marketers, three agencies, two years later — your container has 40 tags, 15 unused, and a custom HTML nobody remembers approving. We find what shouldn't be there.

Rogue custom HTML

Flags custom HTML tags that could exfiltrate data or inject third-party scripts.

Orphaned tags

Finds unused tags cluttering the container, slowing the site, and increasing review surface.

Consent gaps

Catches marketing pixels firing without consent — GDPR/CCPA exposure in plain sight.

Pair with GA4

The bugs that live
between them.

A GTM audit alone catches container-level bugs. Pair it with a GA4 audit and we add a 6th Integration chapter with 3 cross-checks that catch the bugs living between the two products — the ones that silently corrupt your revenue reporting. Included on every plan.

CROSS-001

Measurement ID drift.

Flags when your GTM container ships a GA4 ID that no longer matches your property.

CROSS-002

Key event coverage.

Flags events firing in GTM with no matching key event configured in GA4 — invisible to Google Ads.

CROSS-003

Duplicate tag firing.

Flags multiple tags emitting the same event — the classic cause of double-counted purchases.

Explore GA4 audit See every chore we automate Scored into a 6th Integration chapter on your GA4 report

Ready?

Run your first GTM audit.
Zero risk.

Connect GTM

The analystwho auditsyour container.

Container audit.Score 68 of 100.

Containers rotsilently.

The bugs that livebetween them.

Measurement ID drift.

Key event coverage.

Duplicate tag firing.

The analystwho auditsyour container.

Container audit.Score 68 of 100.

Containers rotsilently.

The bugs that livebetween them.

Measurement ID drift.

Key event coverage.

Duplicate tag firing.

The analyst
who audits
your container.

Container audit.
Score 68 of 100.

Containers rot
silently.

The bugs that live
between them.

The analyst
who audits
your container.

Container audit.
Score 68 of 100.

Containers rot
silently.

The bugs that live
between them.